From b4f57e10455e8d48b341351d834702072123eee3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Frederik=20Hvilsh=C3=B8j?=
Date: Thu, 19 Dec 2024 12:26:42 +0100
Subject: [PATCH] fix: Vary header and specific allow origin
---
 encord_agents/gcp/wrappers.py | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/encord_agents/gcp/wrappers.py b/encord_agents/gcp/wrappers.py
index f87bf37..54d28e2 100644
--- a/encord_agents/gcp/wrappers.py
+++ b/encord_agents/gcp/wrappers.py
@@ -61,18 +61,16 @@ def context_wrapper_inner(func: AgentFunction) -> Callable[[Request], Response]:
 @wraps(func)
 def wrapper(request: Request) -> Response:
- # Set CORS headers for the preflight request
 if request.method == "OPTIONS":
- # Allows GET requests from any origin with the Content-Type
- # header and caches preflight response for an 3600s
 response = make_response("")
+ response.headers["Vary"] = "Origin"
 if not any(re.fullmatch(o, request.origin) for o in ALLOWED_ORIGINS):
 response.status_code = 403
 return response
 headers = {
- "Access-Control-Allow-Origin": "*",
+ "Access-Control-Allow-Origin": request.origin,
 "Access-Control-Allow-Methods": "POST",
 "Access-Control-Allow-Headers": "Content-Type",
 "Access-Control-Max-Age": "3600",
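Review bot: `request.origin` reaches `re.fullmatch` in the OPTIONS branch, and is now also echoed into `Access-Control-Allow-Origin`, without a check for a missing Origin header; if `Request` is the Flask/Werkzeug class, the attribute is `None` in that case and `re.fullmatch(o, None)` raises `TypeError`, so a preflight without Origin would end in a server error instead of the intended 403. Read the value once and reject early: `origin = request.origin` followed by `if origin is None or not any(re.fullmatch(o, origin) for o in ALLOWED_ORIGINS):`, then use `origin` in the headers dict. Because the matched origin is now reflected, the patterns in `ALLOWED_ORIGINS` (defined outside this hunk) are the whole access-control boundary, so they should escape literal dots and pin the scheme, and a short comment above the branch saying so would replace the ones this commit removes. `wrapper` continues past the end of the hunk, so whether the non-preflight response also sets `Vary: Origin` and the matched origin cannot be checked from here.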